ICLR2025
Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents
Hanrong Zhang, Jingyuan Huang, Kai Mei, Yifei Yao, Zhenting Wang, Chenlu Zhan, Hongwei Wang, Yongfeng Zhang
Abstract
Although LLM-based agents, powered by Large Language Models (LLMs), can use external tools and memory mechanisms to solve complex real-world tasks, they may also introduce critical security vulnerabilities. However, the existing literature does not comprehensively evaluate attacks and defenses against LLM-based agents. To address this, we introduce Agent Security Bench (ASB), a comprehensive framework designed to formalize, benchmark, and evaluate the attacks and defenses of LLM-based agents, including 10 scenarios (e.g., e-commerce, autonomous driving, finance), 10 agents targeting the scenarios, over 400 tools, 27 different types of attack/defense methods, and 7 evaluation metrics. Based on ASB, we benchmark 10 prompt injection attacks, a memory poisoning attack, a novel Plan-of-Thought backdoor attack, 4 mixed attacks, and 11 corresponding defenses across 13 LLM backbones. Our benchmark results reveal critical vulnerabilities at different stages of agent operation, including system prompt definition, user prompt handling, tool usage, and memory retrieval, with the highest average attack success rate reaching 84.30%, while current defenses show only limited effectiveness, revealing important work still to be done on agent security by the community. We also introduce a new metric to evaluate the agents' capability to balance utility and security. Our code can be found at https://github.com/agiresearch/ASB. Furthermore, ASB explores the vulnerabilities of agents performing tasks in diverse settings. Specifically, ASB evaluates across 10 task scenarios, 10 corresponding agents, and over 400 tools, including both normal and attack tools, and 400 tasks, divided into aggressive and non-aggressive types. The aggressive tasks assess the agent's refusal rate in response to risky or aggressive instructions.
Our key contributions are summarized as follows: ① We design and develop Agent Security Bench (ASB), the first comprehensive benchmark including 10 scenarios (e.g., e-commerce, autonomous driving, finance), 10 agents targeting the scenarios, and over 400 tools and tasks for evaluating the security of LLM-based agents against numerous attacks and defense strategies. ② We propose a novel PoT Backdoor Attack, which embeds hidden instructions into the system prompt, exploiting the agent's planning process to achieve high attack success rates. ③ We formalize and categorize various adversarial threats targeting key components of LLM agents, including DPI, IPI, Memory Poisoning Attacks, PoT Backdoor Attacks, and Mixed Attacks, covering vulnerabilities in system prompt definition, user prompt handling, memory retrieval, and tool usage. ④ We benchmark 27 different types of attacks and defenses on ASB across 13 LLM backbones with 7 metrics, demonstrating that LLM-based agents are vulnerable to these attacks, with the highest average attack success rates exceeding 84.30%. In contrast, existing defenses are often ineffective. Our work highlights the need for stronger defenses to protect LLM agents from sophisticated adversarial techniques. ⑤ We introduce the Net Resilient Performance (NRP) metric to assess the agents' balance between utility and security, and we emphasize the importance of performance testing on ASB for selecting suitable backbones for agent applications.